One of the most popular WordPress plugins has a serious security flaw

Sead Fadilpašić

May 12, 2023 at 8:56 AM·2 min read

WordPress logo

A hugely popular plugin for the WordPress website builder was carrying a high-severity flaw that could have allowed threat actors to take full control of the target website, experts have found.

Cybersecurity researchers from PatchStack discovered a flaw in the “Essential Addons for Elementor” plugin - a library for the Elementor page builder, consisting of 90 different extensions.

The team claims more than a million WordPress sites have the library installed.

Stealing the website

The flaw, which has since been patched, is being tracked as CVE-2023-32243, and it’s described as an unauthenticated privilege escalation flaw on the password reset functionality. All versions from 5.4.0 up to 5.7.1 are vulnerable, the researchers are saying. Apparently, a threat actor could, with relative ease, reset the password of an admin account, assume control, and thus take over the entire website.

“It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and login on their account," PatchStack said. "This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user."

> WordPress plugin exposes half a million sites to attack

> Elementor website builder review

> Check out the best website builders out there

When a malicious actor takes control of a website, there are a number of things they could do, from stealing sensitive information and engaging in identity theft, to distributing malware and engaging in ad fraud.

Prior to exploiting the flaw, the attackers need to know a couple of things, including the username of the system’s admin. They also need to set a random value in POST 'page_id' and 'widget_id' inputs, as otherwise, the plugin would report an error to the actual admin. Furthermore, thes must provide the correct nonce value on the 'eael-resetpassword-nonce' as that validates the password reset and sets a new password on the 'eael-pass1' and 'eael-pass2' parameters.

If you’re using Essential Addons for Elementor, make sure to bring it up to version 5.7.2.

These are the best WordPress hosting services right now

Via: BleepingComputer

Yahoo Sports
NFL Draft: Packers fan upset with team's 1st pick, and Lions fans hilariously rubbed it in
Not everyone was thrilled with their team's draft on Thursday night.
14h ago
Yahoo Sports
NFL Draft fashion: Caleb Williams, Malik Nabers dressed to impress, but Marvin Harrison Jr.'s medallion stole the show
Every player was dressed to impress at the 2024 NFL Draft.
16h ago
Yahoo Finance
Jamie Dimon is worried the US economy is headed back to the 1970s
JPMorgan's CEO is concerned the US economy could be in for a repeat of the stagflation that hampered the country during the 1970s.
3d ago
Yahoo Sports
Broncos, Jets, Lions and Texans have new uniforms. Let's rank them
Which new uniforms are winners this season?
2d ago
Yahoo Sports
Based on the odds, here's what the top 10 picks of the NFL Draft will be
What would a mock draft look like using just betting odds?
4d ago
Yahoo Sports
Korey Cunningham, former NFL lineman, found dead in New Jersey home at age 28
Cunningham played 31 games in the NFL with the Cardinals, Patriots and Giants.
55m ago
Yahoo Sports
Fantasy Baseball Waiver Wire: Widely available players ready to help your squad
Andy Behrens has a fresh batch of priority pickups for fantasy managers looking to close out the week in strong fashion.
6h ago
Yahoo Sports
Luka makes Clippers look old, Suns are in big trouble & a funeral for Lakers | Good Word with Goodwill
Vincent Goodwill and Tom Haberstroh break down last night’s NBA Playoffs action and preview several games for tonight and tomorrow.
2d ago
Yahoo Sports
Dave McCarty, player on 2004 Red Sox championship team, dies 1 week after team's reunion
The Red Sox were already mourning the loss of Tim Wakefield from that 2004 team.
6d ago
Yahoo TV
Everyone's still talking about the 'SNL' Beavis and Butt-Head sketch. Cast members and experts explain why it's an instant classic.
Ryan Gosling, who starred in the skit, couldn't keep a straight face — and neither could some of the "Saturday Night Live" cast.
3d ago

News

Life

Entertainment

Finance

Sports

New on Yahoo

One of the most popular WordPress plugins has a serious security flaw

Stealing the website

Recommended Stories

NFL Draft: Packers fan upset with team's 1st pick, and Lions fans hilariously rubbed it in

NFL Draft fashion: Caleb Williams, Malik Nabers dressed to impress, but Marvin Harrison Jr.'s medallion stole the show

Jamie Dimon is worried the US economy is headed back to the 1970s

Broncos, Jets, Lions and Texans have new uniforms. Let's rank them

Based on the odds, here's what the top 10 picks of the NFL Draft will be

Korey Cunningham, former NFL lineman, found dead in New Jersey home at age 28

Fantasy Baseball Waiver Wire: Widely available players ready to help your squad

Luka makes Clippers look old, Suns are in big trouble & a funeral for Lakers | Good Word with Goodwill

Dave McCarty, player on 2004 Red Sox championship team, dies 1 week after team's reunion

Everyone's still talking about the 'SNL' Beavis and Butt-Head sketch. Cast members and experts explain why it's an instant classic.